
Introduction:
Network traffic analysis is the frontline of modern cybersecurity, enabling defenders to detect stealthy command-and-control (C2) communication that bypasses traditional defenses. A comprehensive training approach, such as the one offered by Blackstorm Security, provides SOC analysts and incident responders with the skills to dissect malicious PCAPs, intercept encrypted traffic, and identify advanced persistent threats hiding within network noise.
Learning Objectives:
- Analyze malicious PCAPs to extract indicators of compromise (IOCs) and identify C2 beacons.
- Intercept and decrypt encrypted network communications using MITM techniques.
- Deploy open-source frameworks like Zeek and RITA for automated C2 detection.
You Should Know:
1. Hands-On Malicious PCAP Analysis: From Triage to IOC Extraction
Analyzing a malicious packet capture (PCAP) requires a systematic approach to identify the infected host, the C2 server, and the data exfiltrated. This step-by-step guide uses a real-world scenario involving a Pupy RAT infection and abuse of NetSupport Manager.
Step-by-Step Guide:
Step 1: Set Up an Isolated Analysis Environment
Before opening any PCAP, ensure your virtual machine’s network adapter is disabled to prevent accidental callbacks to live C2 infrastructure.
# On Linux (Debian-based), disable network interfaces
sudo ifconfig eth0 down
# Or use NetworkManager to turn off all connections
nmcli networking off
Step 2: Initial Triage in Wireshark
Load the PCAP into Wireshark and apply filters to remove noise and surface suspicious web requests and TLS handshakes.
# Display filter in Wireshark
(http.request or tls.handshake.type eq 1) and !(ssdp)
This filter reveals POST requests to typosquatted domains (e.g., event-time-microsoft[.]org) and TLS handshakes to known malicious domains. Look for randomized URI paths and unusual User-Agent strings (e.g., WindowsPowerShell/5.1...), which indicate script-based malware beacons.
Step 3: Identify the Compromised Host
From the filtered traffic, extract the internal IP and hostname of the infected machine. In the Pupy RAT example, the compromised host was DESKTOP-5AVE44C.massfriction[.]com.
Step 4: Pivot to OSINT for Threat Intelligence
Export suspicious domains (e.g., hillcoweb[.]com) and query threat intelligence platforms.
– Use `nslookup` or `dig` to resolve domains and check for malicious IPs.
– Query AbuseIPDB or ThreatFox via CLI or browser.
# Check domain reputation using threatfox-cli (if installed)
threatfox-cli query domain hillcoweb[.]com
Step 5: Extract Artifacts with NetworkMiner
NetworkMiner passively reconstructs sessions and extracts files, credentials, and hosts from the PCAP.
– Load the PCAP into NetworkMiner (File → Open Capture).
– Review the “Hosts” tab to see outbound connections.
– Check the “Credentials” tab for extracted Kerberos hashes or plaintext passwords. In the Pupy RAT case, NetworkMiner extracted Kerberos hashes for user ‘rgaines’.
Step 6: Deep Dive with TShark and Command-Line Analysis
For large PCAPs, use TShark and tcpdump to quickly extract relevant data.
# Extract all HTTP requests and responses
tshark -r malicious.pcap -Y "http.request or http.response" -T fields -e http.host -e http.request.uri -e http.response.code
# Extract all TLS SNI (Server Name Indication) fields
tshark -r malicious.pcap -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name
# Count unique source IPs that initiated TCP connections
tshark -r malicious.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" -T fields -e ip.src | sort | uniq -c
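As an added example that is not part of the original article, the following Python script applies the Step 2 and Step 6 heuristics (typosquatted hosts, scripting User-Agents, POST requests to short randomized paths) to the tab-separated output of a tshark field extraction; the sample rows, the brand allowlist, the User-Agent list and the path pattern are constructed for illustration.

```python
import re

# Constructed sample of tshark field output, produced by a command of the form used in Step 6:
#   tshark -r malicious.pcap -Y "http.request" -T fields \
#     -e ip.src -e http.host -e http.request.method -e http.request.uri -e http.user_agent
TSHARK_FIELDS = """\
10.1.1.23\tevent-time-microsoft.org\tPOST\t/a8f3k2/q9z\tWindowsPowerShell/5.1.19041.1
10.1.1.23\tevent-time-microsoft.org\tPOST\t/m2x7p/1kd\tWindowsPowerShell/5.1.19041.1
10.1.1.23\twww.microsoft.com\tGET\t/en-us/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
10.1.1.40\tupdate.googleapis.com\tGET\t/service/update2\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

# Hypothetical allowlist: brand keywords and the apex domains where they legitimately appear
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com", "googleapis.com"},
}
# User-Agents of scripting clients that rarely belong in interactive browsing traffic
SCRIPT_UA = re.compile(r"^(WindowsPowerShell|python-requests|curl|Go-http-client)/", re.I)
# One to three short alphanumeric path segments, the shape of many randomized beacon URIs
RANDOM_PATH = re.compile(r"(/[a-z0-9]{2,8}){1,3}", re.I)

def apex_domain(host):
    """Last two labels of the host name (a simplification that ignores multi-label public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(fields_text):
    """Return (src_ip, host, uri, reasons) for every request that trips at least one heuristic."""
    findings = []
    for line in fields_text.splitlines():
        if not line.strip():
            continue
        src, host, method, uri, ua = line.split("\t")
        reasons = []
        for brand, apexes in BRANDS.items():
            # Brand keyword present, but the request did not go to one of the brand's real apex domains
            if brand in host.lower() and apex_domain(host) not in apexes:
                reasons.append(f"lookalike of {brand}")
        if SCRIPT_UA.match(ua):
            reasons.append("scripting User-Agent")
        if method == "POST" and RANDOM_PATH.fullmatch(uri):
            reasons.append("POST to short random-looking path")
        if reasons:
            findings.append((src, host, uri, reasons))
    return findings

if __name__ == "__main__":
    for src, host, uri, reasons in triage(TSHARK_FIELDS):
        print(f"{src} -> {host}{uri}: {', '.join(reasons)}")
```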
2. Detecting C2 Communications Using Zeek and RITA
Modern C2 traffic often uses encrypted channels (TLS) or disguises itself as normal web traffic. The combination of Zeek (formerly Bro) for network metadata extraction and RITA (Real Intelligence Threat Analytics) for behavioral analysis provides a powerful, open-source solution for hunting C2 beacons and DNS tunneling.
What the Tools Do:
- Zeek parses live or recorded traffic into structured logs (conn.log, dns.log, http.log, ssl.log) without decrypting payloads.
- RITA analyzes Zeek logs to detect beaconing (periodic outbound connections), long connections, and DNS tunneling based on entropy and timing.
Step-by-Step Guide:
Step 1: Install Zeek
# On Ubuntu 22.04/24.04
sudo apt update && sudo apt install zeek -y
# Or use the docker-zeek container (wrapper script from activecm)
sudo wget -O /usr/local/bin/zeek https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek
sudo chmod +x /usr/local/bin/zeek
zeek start
Step 2: Capture or Import PCAP into Zeek
Process a PCAP file to generate Zeek logs.
zeek -Cr malicious.pcap
This creates multiple log files in the current directory (conn.log, dns.log, etc.).
Step 3: Install RITA
# Download the latest RITA installer
wget https://github.com/activecm/rita/releases/download/v4.11.0/rita-v4.11.0-installer.tar.gz
tar -xf rita-v4.11.0-installer.tar.gz
cd rita-v4.11.0-installer
sudo ./install_rita.sh localhost
Step 4: Import Zeek Logs into RITA
rita import --database=malware_analysis --logs=/path/to/zeek/logs
Step 5: Analyze for Beaconing and C2 Patterns
# Show beaconing scores for all connections
rita show-beacons malware_analysis
Focus on entries with high beacon scores, regular intervals (e.g., 30 seconds), and small packet sizes. The `show-long-connections` command can reveal persistent C2 channels.
rita show-long-connections malware_analysis
Step 6: Export HTML Report
RITA can generate an HTML report for easy sharing and visualization.
rita html-report malware_analysis --output-dir /var/www/html/rita_report
This report includes timelines of beaconing activity, DNS tunneling detections, and threat intel matches.
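The beacon-scoring idea that RITA implements, as an added Python example written for this article rather than taken from RITA's code: it groups constructed Zeek conn.log rows by source host, destination host and port, then scores each pair on interval regularity and payload-size uniformity, the two signals Step 5 tells you to look for. The IP addresses, timestamps and thresholds are constructed.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log body (tab-separated, columns in Zeek's default order:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes ...)
BEACON_LINES = [
    # 10.0.0.5 -> 198.51.100.23:443 every 30 s with up to 2 s of jitter and a fixed 312-byte payload
    f"{1700000000 + 30 * i + i % 3}.0\tC{i}\t10.0.0.5\t5{i:04d}\t198.51.100.23\t443\ttcp\tssl\t0.2\t312\t528"
    for i in range(20)
]
BROWSING_OFFSETS = [3, 9, 70, 71, 300, 301, 302, 900, 1800, 1801,
                    2400, 3000, 3001, 3002, 3003, 4000, 4100, 4200, 4300, 5000]
BROWSING_LINES = [
    # 10.0.0.7 -> 203.0.113.10:443 at human-driven, irregular times with varying payload sizes
    f"{1700000000 + t}.0\tW{i}\t10.0.0.7\t5{i:04d}\t203.0.113.10\t443\ttcp\tssl\t1.5\t{400 + 137 * i}\t{2000 + 900 * i}"
    for i, t in enumerate(BROWSING_OFFSETS)
]
CONN_LOG = "\n".join(BEACON_LINES + BROWSING_LINES)

def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p, orig_bytes) per connection, skipping Zeek's '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield float(f[0]), f[2], f[4], int(f[5]), int(f[9])

def beacon_scores(text, min_conns=10):
    """Score each (orig_h, resp_h, resp_p) pair in [0, 1]: 1.0 means perfectly periodic, uniform-size traffic."""
    groups = defaultdict(list)
    for ts, orig, resp, port, obytes in parse_conn_log(text):
        groups[(orig, resp, port)].append((ts, obytes))
    scores = {}
    for key, conns in groups.items():
        if len(conns) < min_conns:          # too few connections to judge periodicity
            continue
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [obytes for _, obytes in conns]
        # Timing regularity: median absolute deviation of the intervals relative to the median interval
        med = statistics.median(intervals)
        mad = statistics.median(abs(i - med) for i in intervals)
        interval_score = max(0.0, 1 - mad / med) if med > 0 else 0.0
        # Size uniformity: share of connections that sent the modal orig_bytes value
        size_score = sizes.count(statistics.mode(sizes)) / len(sizes)
        scores[key] = round((interval_score + size_score) / 2, 3)
    return scores

def suspected_beacons(text, threshold=0.8):
    """Return the connection tuples whose score meets the threshold, highest score first."""
    scores = beacon_scores(text)
    return [k for k, s in sorted(scores.items(), key=lambda kv: -kv[1]) if s >= threshold]
```

Real conn.log files carry a `#fields` header and many more columns; the parser only reads the column positions used here, so adjust the indices if your Zeek policy reorders or removes fields.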
3. Intercepting Secure Communications: Building a Transparent MITM Router
Understanding how to intercept and decrypt “secure” TLS traffic is crucial for blue teams to simulate attacks and test network defenses. This technique, while often associated with offensive security, demonstrates why certificate validation is essential and how attackers can bypass encryption.
What This Does:
A transparent intercepting router manipulates network traffic using ARP spoofing or DHCP configuration to redirect traffic through an interception proxy (like mitmproxy), which performs SSL/TLS termination and re-encryption. IoT devices that fail to validate server certificates are particularly vulnerable.
Step-by-Step Guide:
Step 1: Set Up a Linux Machine as a Transparent Router
Use a Raspberry Pi or any Linux computer with two network interfaces (or one interface plus a Wi-Fi adapter in AP mode). Install the packages required to create an access point.
sudo apt update && sudo apt install hostapd dnsmasq iptables mitmproxy -y
Step 2: Configure HostAPD for Wi-Fi Access Point
Create `/etc/hostapd/hostapd.conf` with the following:
interface=wlan0
ssid=EvilTwinAP
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
Step 3: Configure dnsmasq for DHCP and DNS
Edit `/etc/dnsmasq.conf`:
interface=wlan0
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
# Gateway is the intercepting host
dhcp-option=3,192.168.4.1
# DNS server is the intercepting host
dhcp-option=6,192.168.4.1
Step 4: Enable IP Forwarding and Set Up iptables Rules
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Redirect all HTTP and HTTPS traffic to mitmproxy ports
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080
Step 5: Run mitmproxy in Transparent Mode
mitmproxy --mode transparent --showhost
Connecting a client device to the “EvilTwinAP” will now route all HTTP and HTTPS traffic through mitmproxy. The proxy will display all decrypted requests and responses, including any cleartext credentials sent within the TLS tunnel.
4. Cloud Hardening: Detecting Malicious Infrastructure via Passive DNS
Many C2 servers leverage cloud providers like AWS, Azure, or DigitalOcean to avoid reputation blacklists. Blue teams can detect these by correlating passive DNS data and analyzing SSL certificate fingerprints.
Step-by-Step Guide:
Step 1: Extract SSL Certificates from PCAP
Use tshark to export all SSL certificates captured in a PCAP file.
# List the server certificate chains seen in TLS handshakes (colon-separated hex, one handshake per line;
# TLS 1.3 encrypts its certificates, so only TLS 1.2 and older handshakes appear)
tshark -r traffic.pcap -Y "tls.handshake.certificate" -T fields -e tls.handshake.certificate
# Save the first certificate of the first chain as DER for openssl
tshark -r traffic.pcap -Y "tls.handshake.certificate" -T fields -e tls.handshake.certificate | head -n1 | cut -d, -f1 | tr -d ':' | xxd -r -p > certificate.crt
Step 2: Analyze Certificate Subject and Issuer
# Extract issuer and subject details from the DER-encoded certificate
openssl x509 -inform DER -in certificate.crt -text -noout | grep -E "Issuer:|Subject:"
Look for certificates that are self-signed, have unusually short lifespans (e.g., less than 30 days), or contain mismatched CN/SAN fields.
Step 3: Cross-Reference with Cloud Provider Subnets
Use `whois` to check if the IP address belongs to a known cloud range.
whois 45.131.214.85 | grep -E "OrgName|NetName|CIDR"
If the IP belongs to a cloud provider, check for historical reports on threat intel platforms.
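An added Python example, not from the article, that applies the three Step 2 heuristics (self-signed, lifespan under 30 days, CN missing from the SAN list) to the text that `openssl x509 -text -noout` prints; the two certificate dumps, the hostnames and the 30-day threshold are constructed.

```python
import re
from datetime import datetime

# Constructed excerpts of `openssl x509 -text -noout` output (only the lines the heuristics use)
SUSPICIOUS_CERT = """\
        Issuer: CN = update-cdn-service.example
        Validity
            Not Before: Mar  3 12:00:00 2024 GMT
            Not After : Mar 13 12:00:00 2024 GMT
        Subject: CN = update-cdn-service.example
            X509v3 Subject Alternative Name:
                DNS:edge-1.cdn-relay.example, DNS:edge-2.cdn-relay.example
"""
BENIGN_CERT = """\
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan  5 00:00:00 2024 GMT
            Not After : Apr  4 00:00:00 2024 GMT
        Subject: CN = www.example.org
            X509v3 Subject Alternative Name:
                DNS:www.example.org, DNS:example.org
"""

def parse_cert_text(text):
    """Extract issuer, subject, validity window, CN and SAN names from openssl's human-readable dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else ""
    def when(label):
        # openssl pads single-digit days with a space ("Mar  3"); strptime tolerates the extra space
        return datetime.strptime(grab(rf"{label}\s*:\s*(.+?)\s*GMT\s*$"), "%b %d %H:%M:%S %Y")
    return {
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
        "cn": grab(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)"),
        "sans": re.findall(r"DNS:([^,\s]+)", text),
    }

def cert_findings(text, max_days=30):
    """Apply the Step 2 heuristics: self-signed, unusually short lifespan, CN missing from the SAN list."""
    c = parse_cert_text(text)
    findings = ["self-signed"] if c["issuer"] == c["subject"] else []
    lifespan = (c["not_after"] - c["not_before"]).days
    if lifespan < max_days:
        findings.append(f"short-lived ({lifespan} days)")
    if c["sans"] and c["cn"] not in c["sans"]:
        findings.append("CN not in SAN")
    return findings
```

Short lifespans alone are weak evidence (some public CAs issue 90-day or shorter certificates), so treat the findings as triage hints to pivot on, not verdicts.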
5. Windows-Based Network Forensics: Using PowerShell and Sysmon
While Wireshark is cross-platform, Windows environments require additional telemetry for host-based network correlation. Sysmon (System Monitor) logs network connections, process creation, and DNS queries, providing context often missing in raw PCAPs.
Step-by-Step Guide:
Step 1: Install and Configure Sysmon
Download Sysmon from Microsoft and install with a comprehensive configuration (e.g., SwiftOnSecurity’s config).
# Download Sysmon and config
Invoke-WebRequest -Uri https://live.sysinternals.com/sysmon64.exe -OutFile sysmon64.exe
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile sysmonconfig.xml
# Install Sysmon
.\sysmon64.exe -accepteula -i .\sysmonconfig.xml
Step 2: Query Network Connections from Event Logs
Use PowerShell to extract network connection events (Event ID 3) from the Sysmon log.
# Get all network connections from the last hour, with the process that made each one
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=3; StartTime=(Get-Date).AddHours(-1)} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $data = $xml.Event.EventData.Data
    # Each <Data Name="..."> element carries its value in the '#text' property
    $sourceIP = ($data | Where-Object {$_.Name -eq 'SourceIp'}).'#text'
    $destIP   = ($data | Where-Object {$_.Name -eq 'DestinationIp'}).'#text'
    $destPort = ($data | Where-Object {$_.Name -eq 'DestinationPort'}).'#text'
    $procId   = ($data | Where-Object {$_.Name -eq 'ProcessId'}).'#text'
    $image    = ($data | Where-Object {$_.Name -eq 'Image'}).'#text'
    Write-Output "$sourceIP -> $destIP : $destPort  (PID $procId, $image)"
}
Step 3: Correlate with PCAP Data
Cross-reference the process ID (PID) associated with suspicious outbound connections to determine which executable initiated the traffic. This helps distinguish malware from legitimate applications.
Step 4: Monitor DNS Queries for Data Exfiltration
Sysmon Event ID 22 logs DNS queries. Unusually long, high-entropy subdomains (e.g., long.random.subdomain.attack.com) are a classic sign of DNS tunneling.
# Show DNS queries with suspiciously long subdomains
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=22} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $query = ($xml.Event.EventData.Data | Where-Object {$_.Name -eq 'QueryName'}).'#text'
    if ($query.Length -gt 50) { Write-Output "Suspicious DNS: $query" }
}
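An added Python example, not part of the article, that scores exported Sysmon Event ID 22 records for both signs Step 4 describes, subdomain length and entropy, reading the same QueryName field (plus Image) that the PowerShell above pulls from the event XML; the event records, query names and thresholds are constructed.

```python
import math
import xml.etree.ElementTree as ET

WIN_EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 22 records, shaped like the XML that $_.ToXml() returns
def _event(query_name, image):
    return (f'<Event xmlns="{WIN_EVENT_NS["e"]}"><System><EventID>22</EventID></System>'
            f'<EventData><Data Name="QueryName">{query_name}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')

EVENTS = [
    _event("www.microsoft.com", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    _event("login.microsoftonline.com", r"C:\Windows\System32\svchost.exe"),
    # 64 hex characters of encoded data carried as a subdomain label
    _event("9d4e2c8a1f7b3e6d0c5a9f2e4b8d1c7a3f6e0b5d9c2a4f8e1b7d3c6a0f5e9b2d.tunnel.example",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

def shannon_entropy(s):
    """Bits of entropy per character; random hex tops out near 4.0, dictionary words sit around 3."""
    if not s:
        return 0.0
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def sysmon_dns_queries(xml_events):
    """Yield (QueryName, Image) from each Event 22 record via the EventData/Data elements."""
    for xml_text in xml_events:
        root = ET.fromstring(xml_text)
        data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", WIN_EVENT_NS)}
        yield data.get("QueryName", ""), data.get("Image", "")

def dns_tunnel_findings(xml_events, min_sub_len=50, min_entropy=3.5):
    """Flag queries whose subdomain part is very long or high-entropy, the two tunneling signs above."""
    findings = []
    for qname, image in sysmon_dns_queries(xml_events):
        labels = qname.lower().rstrip(".").split(".")
        # Everything left of the registrable domain (two-label approximation, ignores suffixes like co.uk)
        subdomain = ".".join(labels[:-2])
        entropy = shannon_entropy(subdomain.replace(".", ""))
        if len(subdomain) >= min_sub_len or entropy >= min_entropy:
            findings.append({"query": qname, "subdomain_len": len(subdomain),
                             "entropy": round(entropy, 2), "image": image})
    return findings
```

Content-delivery and telemetry hostnames also produce long, hash-like labels, so the Image field is what turns a hit into a lead: a scripting host or an unsigned binary resolving such names deserves the follow-up, a browser usually does not.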
What Undercode Says:
- Passive DNS and SSL fingerprinting directly expose malicious infrastructure hiding behind encryption and cloud providers.
- The combination of Zeek, RITA, and Sysmon provides a complete, open-source hunting stack that rivals expensive commercial solutions.
- Transparent MITM attacks remain highly effective against IoT devices, revealing the critical importance of certificate validation even in low-cost products.
- NetworkMiner’s passive artifact extraction often recovers credentials and files that memory analysis or host forensics might miss.
- Adapting these techniques to cloud-native environments requires integrating similar telemetry from VPC flow logs, cloud load balancers, and API gateways.
Prediction:
As C2 frameworks increasingly adopt encrypted, legitimate-looking protocols (e.g., HTTPS over common CDNs), signature-based detection will become obsolete. The future of network threat analysis will rely on behavioral and ML-based anomaly detection, integrated with SIEM and SOAR platforms to enable real-time automated response. Investigative skills such as packet analysis and custom I/O pipeline scripting will remain essential for validating automated alerts and hunting novel threats.
Reported By: Aleborges Dfir – Hackers Feeds


